b'                       UNITED STATES DEPARTMENT OF AGRICULTURE\n                                  OFFICE OF INSPECTOR GENERAL\n\n                                       Washington D.C. 20250\n\n\nFebruary 27, 2007\n\n\nREPLY TO\nATTN OF:      50501-8-FM\n\nTO:           David M. Combs\n              Chief Information Officer\n              Office of the Chief Information Officer\n\n              Kevin Brown\n              Deputy Chief for Management\n              Natural Resources Conservation Service\n\n              Sherie Hinton-Henry\n              Deputy Administrator\n               for Operations Management\n              Rural Development\n\n              Teresa C. Lasseter\n              Administrator\n              Farm Service Agency\n\nFROM:         Robert W. Young       /s/\n              Assistant Inspector General\n               for Audit\n\nSUBJECT:      Information Technology \xe2\x80\x93 Stolen Computer Equipment Containing\n              Sensitive Information\n\n\nWe have completed our review of the Department of Agriculture\xe2\x80\x99s (USDA) controls over stolen\ncomputer equipment for the Farm Service Agency (FSA), Natural Resources Conservation\nService (NRCS), and Rural Development (RD) at the Information Technology Services (ITS)\nfield sites. This letter represents the results of our review. Our objective was to determine, to\nthe extent possible, what information resided on the stolen computers and what sensitive\ninformation currently resides on the existing computers.\n\nWe found that controls over stolen computer equipment were lacking in FSA, NRCS, RD, and\nITS. Specifically, we found that Privacy Act/Sensitive information was stored on computers that\nwere stolen. In addition, the agencies did not notify the individuals whose information may\n\x0cDavid M. Combs et al.                                                                        2\n\n\nhave been compromised. These agencies lacked policies and procedures to adequately notify\nproper authorities and affected parties when thefts of computer equipment occurred. Prior to a\nJune 23, 2006, Office of Management and Budget (OMB) memorandum requiring improved\nsecurity over sensitive information, Office of the Chief Information Officer (OCIO) had\nprovided agencies limited guidance on actions to take if computers were lost or stolen. OCIO\ndid provide additional direction to the agencies after the OMB issuance, but the guidance still\nwas not specific on procedures to determine whether personally identifiable information was\ncontained on the computers. As a result, personally identifiable information of USDA customers\nand employees may have been lost and is at risk for improper use.\n\nBACKGROUND\n\nDuring recent months, the disclosure or theft of Privacy Act/Sensitive information has received\nrenewed attention within the Government. A high profile theft of equipment carrying millions of\nPrivacy Act/Sensitive records led the OMB to issue new mandates on securing this type of\ninformation. On June 23, 2006, OMB issued Memorandum M-06-16, \xe2\x80\x9cProtection of Sensitive\nAgency Information,\xe2\x80\x9d which required agencies to encrypt information, within 45 days, on all\nmobile computers/devices which carry agency information unless the information is determined\nto be non-sensitive. In addition, OCIO has issued several memorandums concerning lost or\nstolen computer equipment. In a June 27, 2006, memorandum, OCIO required agencies to\nreview lost or stolen items containing sensitive information and report it as an incident. We\nnoted that the agencies in our review had reported back to OCIO that computer equipment had\nbeen stolen but it was unknown as to whether Privacy Act/Sensitive information was on the\ncomputers.\n\nOBJECTIVE\n\nThe primary objective was to determine, to the extent possible, what information resided on the\nstolen computers and what sensitive information currently resides on the existing computers.\n\nSCOPE\n\nOur scope was computers reported stolen at the subject agencies from October 1, 2005, through\nMay 31, 2006. We obtained a listing of stolen computers from ITS. ITS did not track, report\nand monitor these items, but generated the listing after we requested it. In total there\nwere 95 pieces of computer equipment on the list. Exhibit A documents our sample of locations\nvisited and where phone interviews were conducted.\n\nMETHODOLOGY\n\nWe interviewed IT specialists and computer users at the locations contained in Exhibit A. In\naddition, we downloaded directory information from the ITS Large Office in Kansas City,\n\x0cDavid M. Combs et al.                                                                          3\n\n\nMissouri, in an attempt to identify file names that could indicate the presence of Privacy\nAct/Sensitive information.\n\nRESULTS\n\nIn a July 25, 2006, letter to Congress, USDA reported only eight incidents of Privacy\nAct/Sensitive information that had been compromised since 2003. Our review showed that\nUSDA\xe2\x80\x99s report to Congress was not accurate and that the true number of incidents may not be\nknown because of inadequate guidance requiring agencies to track and report information on\nstolen computer equipment. As evidenced in our review, we found nine additional incidents of\ncompromised Privacy Act/Sensitive information in the limited 8-month scope of our review.\n\nPrior to the OMB memorandum, OCIO had provided limited guidance on what agencies were\nrequired to do when equipment was stolen and/or lost. Agencies were not tracking, reporting, or\nfollowing up on stolen or lost equipment. The lack of guidance and procedures led to the\ninaccurate reporting to Congress, as noted above. ITS did not track, monitor, and report on\nstolen computer equipment and only generated a list of the equipment based upon our request.\nSince our request for the stolen item list, OCIO has issued some guidance to agencies and drafted\ninternal procedures on how to handle stolen or lost computer equipment. However, OCIO had\nnot issued Departmentwide guidance addressing agency requirements for tracking and reporting\nlost and stolen computers and for determining the types of information stored on the computers.\n\nWe began our review by examining the stolen computer spreadsheet provided by ITS. In total,\nthere were 95 computers stolen from October 1, 2005, through May 31, 2006. We judgmentally\nselected a sample of 66 of the 95 stolen computers at 9 service center locations throughout the\ncountry. Our sample selection was based upon multiple computers being stolen at a site and the\nsite locations. We interviewed the users of the computers to determine if they knew whether\nPrivacy Act/Sensitive information was on the computers when the devices were stolen. In\naddition, we scanned current computers at the locations to determine whether Privacy\nAct/Sensitive information was presently on the equipment to determine the likeliness of this\ninformation being present when similar equipment was stolen. We noted:\n\n   \xe2\x80\xa2   9 instances where the user was aware of Privacy Act/Sensitive information present on the\n       machine when it was stolen.           Information on the lost computers included\n       producer/borrower names, addresses, social security numbers, and payment information;\n\n   \xe2\x80\xa2   55 instances where the user was unaware of followup by the agency or OCIO to\n       determine if Privacy Act/Sensitive information was actually on the stolen computer;\n\n   \xe2\x80\xa2   7 instances where external storage devices were stolen along with the computer and the\n       users said that there was no Privacy Act/Sensitive information on any of the equipment;\n\n   \xe2\x80\xa2   66 instances where no encryption was present on the computer;\n\x0cDavid M. Combs et al.                                                                             4\n\n\n   \xe2\x80\xa2   26 instances where the users were not aware of any policies or procedures regarding\n       stolen equipment; and\n\n   \xe2\x80\xa2   27 instances where users were not aware whether the theft was reported to the Office of\n       Inspector General.\n\nAgency information technology personnel all stated that Privacy Act/Sensitive information was\nnot stored on the computers, but was stored on the server. Our review disclosed that this was not\nthe case. For example, one agency downloaded Privacy Act/Sensitive information onto the\nlaptop/desktop computers and then uploaded this information to the server once the user was\nfinished with the information. However, a flaw in the programming did not always delete the\ninformation from computers when the information was uploaded. Our scan of current equipment\nat our sample locations disclosed over 2,000 files of Privacy Act/Sensitive information on the\ncomputers during the time of our scanning. This information included producer names,\naddresses, social security numbers, and payment information similar to what we found during\nour testing. The agency has since stated that the programming flaw has been fixed.\n\nThere were limited controls in place to ensure that users do not download Privacy Act/Sensitive\ninformation from the server onto the computers. Although the default setting on computers is to\nstore all information on the server, the user can change the default at anytime he/she saves a file.\nThe information that is stored on the server or is accessed over the internet can leave Privacy\nAct/Sensitive information on the local machine. Items such as Temporary Internet Files,\nRecycle Bins, Virtual Memory, and unallocated space could allow a knowledgeable individual to\nretrieve this information.\n\nOCIO must rely on the agency\xe2\x80\x99s due diligence in tracking and reporting computer equipment that\nhas been stolen, as well as in determining whether the equipment may have contained Privacy\nAct/Sensitive information. Until Departmentwide encryption is effectively enforced, OCIO\ncannot be assured that all information is adequately secured and protected. Since the audit was\ncompleted, it appears that the Department has made efforts to improve the tracking, reporting\nand monitoring of stolen equipment.\n\nIn response to the data call, we were told by the OCIO (see exhibit B) that many agency officials\ncould not confirm whether or not Privacy Act/Sensitive information existed on the lost or stolen\nequipment, primarily because of the length of time that had lapsed since the incident occurred.\nAs a result, OCIO did not rely on the oral testimony of employees when it could not be\nconfirmed exactly what type of information was stored on those systems. We confirmed from\nthe employees that Privacy Act/Sensitive information was in fact on the stolen computers.\nGovernment Auditing Standards affirms that oral testimony is an acceptable form of evidence.\nAlso, asking the user of the computer what type of information was on a computer at the time of\nthe theft is the only logical way to determine what could have been on the computer that has yet\nto be recovered. OIG stands firm that this is not only acceptable evidence, it is the only evidence\nthat is available.\n\x0cDavid M. Combs et al.                                                                        5\n\n\nRECOMMENDATIONS\n\n   1. FSA, NRCS, RD, and ITS need to effectively encrypt the entire hard drive and removable\n      media on all desktops and laptops to ensure that Privacy Act/Sensitive information is not\n      compromised due to stolen or lost equipment. Mobile computing devices should also be\n      physically secured.\n\n      Agency Response. OCIO-ITS agreed with the recommendation and stated that they are\n      working towards the goal of encrypting the entire hard drive. They have evaluated\n      products to accomplish this and expect a Blanket Purchase Agreement to be in place by\n      March 31, 2007. They anticipate completing the encryption solution by December 2007.\n      In addition, they have already issued guidance to the agencies on steps that can be taken\n      to encrypt files for an interim solution.\n\n      OIG Position. We concur with the actions outlined in OCIO-ITS response. However, in\n      order to reach management decision, please provide a detailed, time phased plan to\n      accomplish implementation of the solution throughout the country.\n\n   2. FSA, NRCS, RD, and ITS need to develop effective policies and procedures to notify the\n      OCIO, OIG, and potential affected parties when equipment is stolen and/or lost.\n\n      Agency Response. The OCIO-ITS agreed with the recommendation. OCIO-ITS stated\n      that they are in the process of reviewing and updating the current OCIO-ITS policy and\n      procedures relating to incident handling in accordance with Departmental and NIST\n      guidance.\n\n      OIG Position. We concur with the actions outlined in the OCIO-ITS response.\n      However, in order to reach management decision, please provide a detailed, time phased\n      plan for the completion of the policies and procedures.\n\n   3. OCIO needs to implement Departmentwide guidance regarding tracking and reporting\n      requirements for computer equipment that is stolen or lost. This should include\n      procedures for determining whether the subject equipment may have contained Privacy\n      Act/Sensitive information.\n\n      Agency Response. The OCIO-ITS agreed with the recommendation. After the OIG\n      Audit and OMB Memos, the OCIO issued additional incident tracking guidance to the\n      agencies.\n\n      OIG Position.        We concur with OCIO-ITS management decision on this\n      recommendation.\n\x0cDavid M. Combs et al.                                                                      6\n\n\n   4. OCIO should develop a process to verify agency data before relying on it.\n\n       Agency Response. This recommendation was added after the exit conference and the\n       OCIO has not officially responded.\n\n       OIG Position. In order to reach management decision on this recommendation, the\n       OCIO needs to provide a detailed, time phased plan when the policies and procedures to\n       verify agency submitted data will be done.\n\ncc:\nAudit Liaison Officers for:\n    Office of the Chief Information Officer\n    Natural Resources Conservation Service\n    Rural Development\n    Farm Service Agency\n\x0cExhibit A \xe2\x80\x93 Sample Sites\n\n\n       Location of Service Center   Number of Computers Reported as Stolen\n            Tangent, Oregon                         23\n       Colorado Springs, Colorado                    9\n            Arlington, Texas                         9\n           Avondale, Arizona                         7\n         Yuba City, California                       6\n          Stockton, California                       4\n          Frederick, Maryland                        3\n          Renton, Washington                         3\n            Caldwell, Idaho                          2\n                 Total                              66\n\x0cExhibit B \xe2\x80\x93 OCIO Response\n                            Exhibit B - Page 1 of 3\n\x0cExhibit B \xe2\x80\x93 OCIO Response\n                            Exhibit B - Page 2 of 3\n\x0cExhibit B \xe2\x80\x93 OCIO Response\n                            Exhibit B - Page 3 of 3\n\x0cInformational copies provided to:\n\n Sherry Linkins\n Audit Liaison Officer\n Office of the Chief Information Officer\n\n Dan Runnels\n Director of Operations Management\n  and Oversight Division\n Natural Resources Conservation Service\n\n John Dunsmuir\n Acting Director\n Financial and Management Division\n\n T. Mike McCann\n Operations Review and Analysis Staff\n\x0c'